Elevation and Zero Trust: How to install programs when you need Administrator privilege

What is Zero Trust?

Put simply, Zero Trust refers to the ability to block any program from running on your computers unless it has been explicitly approved.

This new service serves two purposes:

  1. Reducing the risk of malicious use of legitimate programs that may not have been already blocked by your antivirus, by ensuring that only approved programs can run on your computers
  2. Reducing the risk of accidentally allowing users to run programs with the highest privileges by providing a mechanism for review and approval of all administrative rights elevation requests

What will be the experience for end-users?

When end-users run a program that has not been previously authorized or when they try to run a program with administrative privileges (“Run as administrator”), the following will happen:

  • The end-user will be presented with a pop-up window in the lower-right corner of Windows, allowing them to request access to the program or authorization to run the program with elevated privileges
  • If the user chooses to request access, it will trigger a new request in our ticketing system (and an email to all internal administrators, see below)
  • After our technicians review the request and either approve or deny it, the end-user will be notified via email that they can proceed with running the program (or that they have been denied access)
  • For frequent requests or to allow more than one user the use of a program, we may verify with you whether the request should be authorized for just this computer (default case) or whether we should make a policy that will apply to all computers (for example if this is for a new line-of-business application)

There are thousands of perfectly good programs throughout the world, do you need to authorize every single last one of them?

With Zero Trust the answer is yes. Fortunately, the fine folks who maintain Threat Locker are constantly monitoring new programs across all their clients and add new “behind the scenes” policies for common programs as soon as they are available, so the vast majority of known good programs are already listed in your account and will not need further approval. In addition, we have already deployed the Threat Locker agent to all your computers over the past few weeks, and those agents have been busy learning and cataloguing your normal programs, so they are already approved for normal use.

Is there a document I can send all our staff to help them properly request access?

Yes, you will receive a separate email that contains instructions on how to handle access or elevation requests. We encourage you to forward that instructional email to all your staff as soon as possible.

Can someone on our team approve those requests or do they all have to go through Wooden Spoon tech support?

The platform allows us to create as many administrator accounts as you may need for your own access to the management portal. While the platform’s capabilities are extensive, we have prepared a document for internal administrators to quickly bypass the whole authorization process when required (for example, when you need to allow a third-party vendor access to a computer right away). You will receive another email containing instructions for administrators. Please let us know who you would like to receive that access and we will send them an email invitation to the platform.

Rather than bypassing those requests, can my administrators learn to properly approve requests?

We are happy to train your internal administrators on the proper use of the platform, including how to create applications and policies, in one-on-one hands-on sessions. Be aware that this is highly technical training that is geared toward people who already feel comfortable with computer management techniques. This training is however not required as we are happy to continue reviewing and acting on end-user requests.

What do I need to do to enable this service?

We have already enabled the service on your account, after confirming that most legitimate access requests have been pre-approved, so there is no action needed on your part, other than distributing the end-user instructions for requesting approvals to all your staff.

We already use anti-virus for preventing malicious programs, why do we need this program?

While anti-virus programs do a good job of blocking known malicious programs and behaviors, hackers are increasingly using known legitimate system tools and programs to abuse the system and gain a foothold on computers (this is called “living-off-the-land” hacking), and even the best antivirus products are not equipped to deal with this particular threat. The solution is to literally block everything until it is explicitly reviewed and approved.
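To make the default-deny model concrete, and to show how the request-and-review workflow described earlier (per-computer approval by default, a global policy for line-of-business applications, a separate approval for “Run as administrator”) fits together, here is a small added Python model of an application allowlist engine. It is example code written for this page, not Threat Locker’s own logic or code; the class names (Policy, Request, AllowlistEngine), the use of a SHA-256 file hash as the only identity of a program, and the sample “executables” (constructed byte strings) are all assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """An approval record: which file hash may run, where, and whether it may elevate."""
    sha256: str
    scope: str            # a hostname, or "*" for a policy that applies to all computers
    allow_elevate: bool   # False: the program may run, but "Run as administrator" still needs approval


@dataclass(frozen=True)
class Request:
    """A pending review item; stands in for the ticket created when a user asks for access."""
    hostname: str
    user: str
    sha256: str
    wants_elevation: bool


class AllowlistEngine:
    """Default-deny evaluator: an execution is allowed only if an approval record covers it."""

    def __init__(self, policies=()):
        self.policies = list(policies)
        self.pending = []          # requests awaiting a technician's review

    def _matches(self, sha256, hostname):
        # Policies scoped to this computer and global ("*") policies both apply.
        return [p for p in self.policies
                if p.sha256 == sha256 and p.scope in (hostname, "*")]

    def evaluate(self, file_bytes, hostname, user, elevated=False):
        """Return 'allow' or 'request'. Anything without a covering policy is not run;
        instead a request is queued, mirroring the pop-up that lets the user ask for approval."""
        digest = hashlib.sha256(file_bytes).hexdigest()
        permitted = any(p.allow_elevate or not elevated
                        for p in self._matches(digest, hostname))
        if not permitted:
            self.pending.append(Request(hostname, user, digest, elevated))
            return "request"
        return "allow"

    def approve(self, request, scope=None, allow_elevate=None):
        """Technician decision. scope defaults to the requesting computer (the default case);
        allow_elevate defaults to whatever the user asked for."""
        self.pending.remove(request)
        self.policies.append(Policy(
            sha256=request.sha256,
            scope=scope or request.hostname,
            allow_elevate=request.wants_elevation if allow_elevate is None else allow_elevate,
        ))

    def deny(self, request):
        # Nothing is recorded, so the next attempt prompts the user again.
        self.pending.remove(request)


def demo():
    """Walk through the workflow with a constructed line-of-business program."""
    payroll = b"payroll-app-v2-binary"   # constructed stand-in for an executable's bytes
    engine = AllowlistEngine()
    trace = []

    # 1. Unknown program: not run, request queued.
    trace.append(engine.evaluate(payroll, "PC-01", "alice"))
    # 2. Technician approves for just this computer.
    engine.approve(engine.pending[0])
    trace.append(engine.evaluate(payroll, "PC-01", "alice"))   # now allowed here
    trace.append(engine.evaluate(payroll, "PC-02", "bob"))     # other computer: still needs approval
    # 3. "Run as administrator" on the approved computer needs its own approval.
    trace.append(engine.evaluate(payroll, "PC-01", "alice", elevated=True))
    # 4. Requests are becoming frequent: make a global policy that includes elevation.
    engine.approve(engine.pending[-1], scope="*", allow_elevate=True)
    trace.append(engine.evaluate(payroll, "PC-02", "bob", elevated=True))
    return trace, len(engine.pending)


if __name__ == "__main__":
    print(demo())
```

The important design choice is that `evaluate` has no way to say "allow" without a matching policy: a hash the engine has never seen gets the same treatment as a hash that has been reviewed and not approved. That is the difference from a blocklist-based antivirus, which must already know a program is bad before it can stop it.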

We already use AutoElevate for authorizing end-users to run programs as administrator, why do we need this program?

While AutoElevate has served us well since we started deploying it over a year ago, we have found that its architecture may cause problems during authorization. We also realize that the program lacks the granularity afforded by Threat Locker’s policy settings. Since Threat Locker provides an authorized elevation mechanism (and much more), we have decided to retire AutoElevate as part of the rollout of Threat Locker.